Understanding HIPAA: The Privacy Rule

Apr 18, 2022

The Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) establishes a set of national standards to address the use and disclosure of protected health information (“PHI”) by covered entities and business associates, as well as standards for individual patients’ privacy rights to understand and control how their PHI is used and disclosed.

What information is protected?

The Privacy Rule protects all PHI, which includes “individually identifiable health information” held or transmitted by a covered entity or its business associate in any form, whether electronic, paper, or oral. In comparison, there are no restrictions on the use or disclosure of de-identified health information. There are two ways to de-identify health information: (i) a formal determination by a qualified statistician, or (ii) the removal of specific identifiers, which is adequate only if the discloser has no actual knowledge that the remaining information could be used to identify the individual.

When can health information be used or disclosed?

Generally, a covered entity may not use or disclose PHI without the patient’s valid authorization; once obtained, the PHI’s use or disclosure must be consistent with the authorization. Nevertheless, a covered entity is permitted (but not required) to use and disclose PHI without a patient’s authorization for the purposes of (i) treatment, (ii) payment and (iii) healthcare operations.

Treatment generally means the provision, coordination, management, consultation, or referral of healthcare and healthcare-related services among healthcare providers or by a healthcare provider with a third party.

Payment includes the various activities of healthcare providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of healthcare.

Healthcare operations encompass any of the following activities: (i) quality assessment and improvement activities; (ii) competency assurance activities; (iii) conducting or arranging for medical reviews, audits, or legal services; (iv) specified insurance functions; (v) business planning, development, management, and administration; and (vi) business management and general administrative activities.

Minimum Necessary Use and Disclosure

One of the chief principles of the Privacy Rule is the standard of minimum necessary use and disclosure. Covered entities and business associates must make reasonable efforts to use, disclose and request only the minimum necessary amount of PHI needed to accomplish the intended purpose of the use or disclosure. Covered entities and business associates are responsible for developing and implementing policies and procedures to follow the minimum necessary standard, including restricting the internal use and disclosure of PHI.

Because covered entities and business associates range from individuals to large, nationwide organizations, the Privacy Rule is flexible and scalable, affording covered entities and business associates the opportunity to analyze their own needs and implement solutions appropriate for their own environment. What is appropriate for a particular covered entity or business associate will depend on the nature and size of the business and resources available to it. This includes, among other practices, the designation of a privacy officer, effective workforce training, creating and enforcing sanctions for non-compliance, and mitigating potential or actual unauthorized PHI uses or disclosures.

A covered entity or business associate should maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent use or disclosure of PHI in violation of the Privacy Rule.

Matt DeNoncour is the owner of Magis Law Firm, a solo law firm based in Boston, MA, where he provides legal services to the healthcare, biotechnology, and business communities. You can reach Matt at magislawfirm.com, by phone at 857-242-6826 or by email at matt@magislawfirm.com. This post is not meant to be legal advice.
